\section{Conclusion}
\label{sec:Conclusion}

Many organisations are submitted to regulations expressed in natural language,
and usually derived into obligations. While \textsc{Mds} is already well established to manage and enforce authorization/access control requirements, several crucial challenges are still unresolved for obligation policies: how to express these regulations in terms of obligations interoperable with access control ; and how to allow runtime updates of security policy to cope with evolutions over time.

This paper addresses these key challenges by proposing an \textsc{Mds} approach
that encompasses obligation and access control, into advanced security poli-
cies. Different elements compose the Security@Runtime approach we promote,
including a \textsc{Dsl} for non-intrusive security policy specifications: security designers can express both coarse-grained and fine-grained policies. Fine granularity is required for making policies runtime-sensitive, with contexts referring to precise runtime configurations, taking into account for example field and parameter values, or runtime instances. The Security@Runtime approach has been implemented and applied for Java code systems. These evaluations, while promising, allow pinpointing several perspectives that are worth investigating in the future: (i) countering classical performance bottlenecks with techniques that would go along the same lines as \cite{KatebMTHX12} for access control, (ii) integrating usage control for enabling an even finer control of method calls in the target application, (iii) applying the Security@Runtime approach on targets different from Java code, such as component-based systems